Merge remote-tracking branch 'goog/security-aosp-mnc-mr1-release' into HEAD
diff --git a/core/jni/android_database_CursorWindow.cpp b/core/jni/android_database_CursorWindow.cpp
index 580ac02..a86e57d 100644
--- a/core/jni/android_database_CursorWindow.cpp
+++ b/core/jni/android_database_CursorWindow.cpp
@@ -182,6 +182,10 @@
if (type == CursorWindow::FIELD_TYPE_BLOB || type == CursorWindow::FIELD_TYPE_STRING) {
size_t size;
const void* value = window->getFieldSlotValueBlob(fieldSlot, &size);
+ if (!value) {
+ throw_sqlite3_exception(env, "Native could not read blob slot");
+ return NULL;
+ }
jbyteArray byteArray = env->NewByteArray(size);
if (!byteArray) {
env->ExceptionClear();
@@ -217,6 +221,10 @@
if (type == CursorWindow::FIELD_TYPE_STRING) {
size_t sizeIncludingNull;
const char* value = window->getFieldSlotValueString(fieldSlot, &sizeIncludingNull);
+ if (!value) {
+ throw_sqlite3_exception(env, "Native could not read string slot");
+ return NULL;
+ }
if (sizeIncludingNull <= 1) {
return gEmptyString;
}
diff --git a/include/androidfw/CursorWindow.h b/include/androidfw/CursorWindow.h
index 8a2979a..2eb349f 100644
--- a/include/androidfw/CursorWindow.h
+++ b/include/androidfw/CursorWindow.h
@@ -18,6 +18,7 @@
#define _ANDROID__DATABASE_WINDOW_H
#include <cutils/log.h>
+#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
@@ -128,12 +129,13 @@
inline const char* getFieldSlotValueString(FieldSlot* fieldSlot,
size_t* outSizeIncludingNull) {
*outSizeIncludingNull = fieldSlot->data.buffer.size;
- return static_cast<char*>(offsetToPtr(fieldSlot->data.buffer.offset));
+ return static_cast<char*>(offsetToPtr(
+ fieldSlot->data.buffer.offset, fieldSlot->data.buffer.size));
}
inline const void* getFieldSlotValueBlob(FieldSlot* fieldSlot, size_t* outSize) {
*outSize = fieldSlot->data.buffer.size;
- return offsetToPtr(fieldSlot->data.buffer.offset);
+ return offsetToPtr(fieldSlot->data.buffer.offset, fieldSlot->data.buffer.size);
}
private:
@@ -166,7 +168,16 @@
bool mReadOnly;
Header* mHeader;
- inline void* offsetToPtr(uint32_t offset) {
+ inline void* offsetToPtr(uint32_t offset, uint32_t bufferSize = 0) {
+ if (offset >= mSize) {
+ ALOGE("Offset %" PRIu32 " out of bounds, max value %zu", offset, mSize);
+ return NULL;
+ }
+ if (offset + bufferSize > mSize) {
+ ALOGE("End offset %" PRIu32 " out of bounds, max value %zu",
+ offset + bufferSize, mSize);
+ return NULL;
+ }
return static_cast<uint8_t*>(mData) + offset;
}
diff --git a/libs/androidfw/CursorWindow.cpp b/libs/androidfw/CursorWindow.cpp
index 166863c..5694115 100644
--- a/libs/androidfw/CursorWindow.cpp
+++ b/libs/androidfw/CursorWindow.cpp
@@ -98,9 +98,14 @@
if (dupAshmemFd < 0) {
result = -errno;
} else {
+ // the size of the ashmem descriptor can be modified between ashmem_get_size_region
+ // call and mmap, so we'll check again immediately after memory is mapped
void* data = ::mmap(NULL, size, PROT_READ, MAP_SHARED, dupAshmemFd, 0);
if (data == MAP_FAILED) {
result = -errno;
+ } else if (ashmem_get_size_region(dupAshmemFd) != size) {
+ ::munmap(data, size);
+ result = BAD_VALUE;
} else {
CursorWindow* window = new CursorWindow(name, dupAshmemFd,
data, size, true /*readOnly*/);
diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java
index 7654cc9..9d79325 100644
--- a/services/core/java/com/android/server/pm/PackageManagerService.java
+++ b/services/core/java/com/android/server/pm/PackageManagerService.java
@@ -12641,6 +12641,20 @@
+ perm.info.name + "; ignoring new declaration");
pkg.permissions.remove(i);
}
+ } else if (!"android".equals(pkg.packageName)) {
+ // Prevent apps to change protection level to dangerous from any other
+ // type as this would allow a privilege escalation where an app adds a
+ // normal/signature permission in other app's group and later redefines
+ // it as dangerous leading to the group auto-grant.
+ if ((perm.info.protectionLevel & PermissionInfo.PROTECTION_MASK_BASE)
+ == PermissionInfo.PROTECTION_DANGEROUS) {
+ if (bp != null && !bp.isRuntime()) {
+ Slog.w(TAG, "Package " + pkg.packageName + " trying to change a "
+ + "non-runtime permission " + perm.info.name
+ + " to runtime; keeping old protection level");
+ perm.info.protectionLevel = bp.protectionLevel;
+ }
+ }
}
}
}
